Mind Matters Natural and Artificial Intelligence News and Analysis
Terracotta warriors, China
Licensed via Adobe Stock

China’s Data Laws Restrict Businesses and Favor the State

The Data Security Law and the Personal Information Protection Law are part of the Chinese government’s plan to steer the private sector toward State goals

In previous articles, I looked at how the Chinese government is reigning in China’s tech sector first of Jack Ma and Ant Group’s initial public offering on the Shenzhen and Hong Kong stock exchanges and then Didi Global, Inc. The Chinese government has since passed two data laws and released an update that clarifies the 2017 Cybersecurity Law. The result is better protections of citizens’ data from being used, exploited, or sold by private companies, and encroaching government presumption of the private sector in which the State has virtually unrestricted access to and jurisdiction over private companies’ data. 

Clarification of the 2017 Cybersecurity Law

The Cyberspace Administration of China (CAC) gained oversight powers over other state agencies in 2014 under Xi Jinping. Jane Li in Quartz gives a helpful overview of how the Cyberspace Administration of China became a super agency that coordinates the multiple agencies involved in regulating cyberspace. The U.S. and Europe do not have an analogous governing body. Rather, internet regulations are somewhat piecemeal. For example, California, Colorado, and Virginia all have consumer data laws, but there isn’t a single federal agency that oversees internet data. (The Federal Trade Commission and the Federal Communication Commission oversee some consumer rights.) Additionally, while in the U.S. tech companies can contest regulations in court or negotiate with authorities, Chinese tech companies have no choice but to comply with the CAC. 

Two years after the CAC was formed, it passed a cybersecurity law that was put into effect June 1, 2017. This law restricted where foreign companies can store data acquired from Chinese users, specifying that the data must be stored within China’s borders. Both Apple and Tesla have run up against this law. It also called for stricter oversight for companies that operate as a “critical information infrastructure.” What exactly constitutes a “critical information infrastructure” has been unclear, leaving many companies wondering if they would be hit by regulators.

Last July, several days after Didi Global, Inc. had an initial public offering on the New York Stock Exchange, the company was subjected to a cybersecurity review under rules that applied to Critical Information Infrastructure. A month later, on August 17, 2021, the State Council issued the Critical Information Infrastructure Security Protection Regulations which clarified what constitutes a Critical Information Infrastructure (namely, any company that obtains user data), how companies need to manage cybersecurity, and the responsibilities of the various bureaucratic agencies on cyber security. According to DigiChina, the Ministry of Public Security will oversee Critical Information Infrastructure nationally, while regulators from each sector will develop rules for their particular areas of oversight. The CAC will coordinate all of this. From DigiChina’s analysis:

If this sounds like a recipe for a bureaucratic tug-of-war, that may be because it’s the result of one: Key agencies such as CAC, MPS, the Ministry of Industry and Information Technology (MIIT), and the Ministry of State Security (MSS) have long had different approaches to cybersecurity—a situation that in part led to the original establishment of the CAC in 2014 and years of subsequent legislative efforts.

Paul Triolo, Samm Sacks, Graham Webster, and Rogier Creemers, “After 5 Years, China’s Cybersecurity Rules for Critical Infrastructure Come into Focus” at DigiChina

Personal Information Protection Law

The regulations on Critical Information Infrastructure were published the same week that the Standing Committee of the 13th National People’s Congress passed the Personal Information Protection Law. This law will go into effect on November 1, 2021, and places restrictions on how private companies can use data acquired from its users and requirements for data security. The law is analogous to the General Data Protection Regulations (GDPR) in the European Union, but with a catch. In the European Union, the governments are accountable to their citizens, and therefore beholden to the same laws on data collection. China’s governing bodies, on the other hand, still have unrestricted access to data because of the law’s emphasis on national security. The Chinese government sees any data about China as a national security issue, but this justification ends up placing the government above the law and accountable to no one. 

The Wall Street Journal reports,

Though the new privacy rules could allow China’s central government to control how lower-level agencies use and share data, nothing suggests “anything resembling legal limits on government surveillance,” said Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center. “Chinese civil society still has very limited means of ‘watching the watchmen,’” he added.

Eva Xiao, “China Passes One of the World’s Strictest Data-Privacy Laws” at Wall Street Journal

Some of the provisions of the law restrict the use of facial recognition cameras by private companies, do not allow for algorithmic discrimination based on previous purchases or income, and offers consumers the option to opt-out of personalized marketing. However, as we’ve seen with police use of surveillance and algorithms in places like Xinjiang, the government is not held to these same standards.

This law goes hand-in-hand with Data Security Law, passed earlier this summer and goes into effect September 1. This law classifies private sector data based on its importance to the State, particularly in regard to national security, and places data management under the purview of the Chinese government. 

Not Done Yet…Algorithm Regulations

As I was writing this article, the CAC posted a 30-point draft proposal on “algorithm recommendation management regulations” which would place restrictions on private companies’ algorithms. Earlier this year, the China Consumers Administration released a statement outlining the ways companies “bully” consumers into making purchases using algorithms. The new draft proposal from the CAC requires greater transparency in how companies’ algorithms work, specifying that their algorithms cannot “go against public order and good customs, such as by leading users to addiction or high-value consumption.”

Like the data privacy laws and the personal information laws, there is much to like about these regulations. Calling on companies to be more transparent with their algorithmic models and to practice ethical use of algorithms is something that several AI ethicists and technologists have called on.

Analysts agree that China’s data laws will likely influence other countries, including the U.S., as they formulate their own regulations on data usage and privacy. But the undercurrent is one in which the CCP under Xi Jinping’s leadership presumes that data is power and only the State is permitted to wield that power.

According to the Wall Street Journal, Xi Jinping places Big Data on the same level as land, labor, and capital when it comes to essential elements to the economy. The Data Security Law and the Personal Information Protection Law are part of the Chinese government’s plan to steer the private sector toward State goals, which were outlined in a September 2020 communication from the General Office of the Central Committee of the Chinese Communist Party, the “Opinion on Strengthening the United Front Work of the Private Economy in the New Era,” which seeks to build a “modern private enterprise system with Chinese characteristics.”

Essentially, private companies (particularly tech companies) were allowed to innovate and compete like Western free markets for a time. That changed when Xi Jinping took office. The Wall Street Journal has a helpful article outlining how billionaire Jack Ma fell out of grace with the CCP. For one, Jack Ma “behaved too much liken an American entrepreneur” and those that sympathize with Ma told the Journal that “Mr. Ma was being punished for acting in ways that reward tech moguls in Western economies—pushing innovation, seeking market domination, creating new products, lobbying for looser regulation and making money.” However, as we will see in a subsequent article, Xi Jinping is steering China back to a socialist system.

You may also wish to read:

What’s Behind China’s Crackdown on Big Tech? Both China and the U.S. are treating big tech with a heavy hand, but under different motivations. There’s a saying in the gambling industry: the house always wins. In an authoritarian, or neo-totalitarian, regime, the Party always wins. (Heather Zeiger)

China Sharply Reins in Big Tech Amid All-Digital Currency Rollout. Ant Group must turn over its vast customer database to the government in exchange for the easing of strict regulations. China may be aiming to nationalize the country’s financial services, giving the government control over all transactions, credit scores, and savings. (Heather Zeiger)

Heather Zeiger

Heather Zeiger is a freelance science writer in Dallas, TX. She has advanced degrees in chemistry and bioethics and writes on the intersection of science, technology, and society. She also serves as a research analyst with The Center for Bioethics & Human Dignity. Heather writes for bioethics.com, Salvo Magazine, and her work has appeared in RelevantMercatorNet, Quartz, and The New Atlantis.

China’s Data Laws Restrict Businesses and Favor the State